Fix SuiteB chain checking logic.

Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 7255ca99df1f2d83d99d113dd5ca54b88d50e72b)
author: Dr. Stephen Henson <steve@openssl.org> 2014-11-20 14:06:50 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2014-11-20 22:14:29 +0000
commit: 8d325d1d36fb46c49cf7f36e7c181a7034474d32 (patch)
tree: e97562a4eadb70424dc8ce811332f5f76307fc07 /ssl/t1_lib.c
parent: 03d14f58873470407de6120218b7e69fefd8b58f (diff)
1 files changed, 4 insertions, 7 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8e802a2e3f..d02ae19d58 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -4240,13 +4240,10 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
 		if (check_flags)
 			check_flags |= CERT_PKEY_SUITEB;
 		ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
-		if (ok != X509_V_OK)
-			{
-			if (check_flags)
-				rv |= CERT_PKEY_SUITEB;
-			else
-				goto end;
-			}
+		if (ok == X509_V_OK)
+			rv |= CERT_PKEY_SUITEB;
+		else if (!check_flags)
+			goto end;
 		}
 
 	/* Check all signature algorithms are consistent with
author	Dr. Stephen Henson <steve@openssl.org>	2014-11-20 14:06:50 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2014-11-20 22:14:29 +0000
commit	8d325d1d36fb46c49cf7f36e7c181a7034474d32 (patch)
tree	e97562a4eadb70424dc8ce811332f5f76307fc07 /ssl/t1_lib.c
parent	03d14f58873470407de6120218b7e69fefd8b58f (diff)